Secure Port 25 only for Mail Server ONLY.

We have recently configured our MikroTik router. All the initial IP filter, telnet-disabling and other protective rules were set up using the following:

/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=Bogons
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1

In addition, our mail server is configured like this:
NAT rule: /ip firewall nat add chain=dstnat protocol=tcp dst-port=25 action=dst-nat to-addresses=192.168.x.x to-ports=25

All our mails are coming and going WITHOUT ISSUES, but the problem is WE GOT blacklisted 4 TIMES IN 28 DAYS, and one of the main RECOMMENDATIONS is for us to do the following:

If the IP is a NAT firewall, we strongly recommend configuring the firewall to prevent machines on your network connecting to the Internet on port 25, except for machines that are supposed to be mail servers.

How do I do the above?

You might want to have a look at firewall basics.

In general, the best approach to build a firewall is “drop everything but a list of exceptions”, as opposed to “accept everything but a list of exceptions” used in the default configuration for simplicity of a home AP configuration where some generic assumptions regarding the list of exceptions to be dropped may be taken.

But to quickly resolve your urgent matter, the following script line should do what you need:
/ip firewall filter add chain=forward place-before=[find comment~"from WAN"] action=drop protocol=tcp dst-port=25 src-address=!lan-side.ip.of.your.mail.server in-interface=!ether1 log=yes log-prefix="suspicious SMTP client:"

This rule drops attempts to establish a TCP connection to port 25 except connection attempts coming from outside (i.e. via ether1 which seems to be your WAN interface) and from your mail server’s IP address.

The log=yes part helps you identify devices in your network which are responsible for the blacklisting, as each attempt of such a device to establish an SMTP connection will be logged, showing the IP address of the device. /log print where topics~"firewall" message~"suspicious" will show only these log records.
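One way to triage the records that the log-prefix above produces, as an added example that is not from the original thread: it tallies, per LAN source address, how many dropped SMTP connection attempts appear and how many different external hosts were targeted, which is the pattern a spam-sending host on the LAN tends to leave. The log lines are constructed in the layout of RouterOS firewall log output, not taken from the poster's router.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the layout of RouterOS "/log print" output for the
# drop rule with log-prefix "suspicious SMTP client:"; not real log data.
SAMPLE_LOG = """\
jan/02 10:15:22 firewall,info suspicious SMTP client: forward: in:bridge out:ether1, src-mac 6c:3b:6b:aa:bb:01, proto TCP (SYN), 192.168.88.23:51412->203.0.113.10:25, len 60
jan/02 10:15:23 firewall,info suspicious SMTP client: forward: in:bridge out:ether1, src-mac 6c:3b:6b:aa:bb:01, proto TCP (SYN), 192.168.88.23:51413->198.51.100.7:25, len 60
jan/02 10:15:25 firewall,info suspicious SMTP client: forward: in:bridge out:ether1, src-mac 6c:3b:6b:aa:bb:01, proto TCP (SYN), 192.168.88.23:51414->203.0.113.44:25, len 60
jan/02 10:16:01 firewall,info suspicious SMTP client: forward: in:bridge out:ether1, src-mac 6c:3b:6b:aa:bb:02, proto TCP (SYN), 192.168.88.40:60001->203.0.113.10:25, len 60
jan/02 10:16:30 system,info,account user admin logged in from 192.168.88.5 via winbox
"""

# Matches only records written by the SMTP drop rule: the prefix, the source MAC,
# the TCP SYN marker, and a src:port->dst:25 pair.
LINE_RE = re.compile(
    r"suspicious SMTP client: .*?src-mac (?P<mac>[0-9a-f:]{17}), proto TCP \(SYN\), "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+->(?P<dst>\d+\.\d+\.\d+\.\d+):25\b"
)


def rank_smtp_clients(log_text):
    """Return [(src_ip, mac, attempts, distinct_destinations), ...], most attempts first."""
    attempts = Counter()
    dests = defaultdict(set)
    macs = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log record (system, account, other firewall rules)
        src = m.group("src")
        attempts[src] += 1
        dests[src].add(m.group("dst"))
        macs[src] = m.group("mac")  # MAC lets you find the device even behind DHCP churn
    return [(src, macs[src], n, len(dests[src])) for src, n in attempts.most_common()]


if __name__ == "__main__":
    for src, mac, n, ndst in rank_smtp_clients(SAMPLE_LOG):
        print(f"{src:15} {mac}  attempts={n:3d}  distinct SMTP targets={ndst}")
```

A host with many attempts toward many different destinations is the first one to inspect; the mail server itself should never appear, since the rule exempts its address.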

Thank you so much…will have a look at the link for basics. I will keep a close eye and post any further updates.